
Auto-Scaling for Palo Alto Networks VM-Series


Reference

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3, < 2.0 |
| google | ~> 4.54 |

Providers

| Name | Version |
|------|---------|
| archive | n/a |
| google | ~> 4.54 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| google_cloudfunctions2_function.delicensing_cfn | resource |
| google_compute_autoscaler.zonal | resource |
| google_compute_instance_group_manager.zonal | resource |
| google_compute_instance_template.main | resource |
| google_compute_region_autoscaler.regional | resource |
| google_compute_region_instance_group_manager.regional | resource |
| google_logging_project_sink.delicensing_cfn | resource |
| google_project_iam_member.delicensing_cfn | resource |
| google_project_iam_member.delicensing_cfn_invoker | resource |
| google_pubsub_subscription.main | resource |
| google_pubsub_subscription_iam_member.main | resource |
| google_pubsub_topic.delicensing_cfn | resource |
| google_pubsub_topic.main | resource |
| google_pubsub_topic_iam_member.pubsub_sink_member | resource |
| google_secret_manager_secret.delicensing_cfn_pano_creds | resource |
| google_service_account.delicensing_cfn | resource |
| google_storage_bucket.delicensing_cfn | resource |
| google_storage_bucket_object.delicensing_cfn | resource |
| google_vpc_access_connector.delicensing_cfn | resource |
| random_id.postfix | resource |
| archive_file.delicensing_cfn | data source |
| google_compute_default_service_account.main | data source |
| google_compute_zones.main | data source |

Inputs

autoscaler_metrics
  Description: A map whose keys are metric identifiers (e.g. custom.googleapis.com/VMSeries/panSessionUtilization). Each of the contained objects has the attribute target, which is the numerical threshold for a scale-out or a scale-in. Each zonal group grows until it satisfies all the targets. The additional optional attribute type defines the metric as either GAUGE, DELTA_PER_SECOND, or DELTA_PER_MINUTE. For the full specification, see the metric block in the provider doc.
  Type: map
  Default:
    {
      "custom.googleapis.com/VMSeries/panSessionThroughputKbps": {
        "target": 700000
      },
      "custom.googleapis.com/VMSeries/panSessionUtilization": {
        "target": 70
      }
    }
  Required: no

cooldown_period
  Description: The number of seconds that the autoscaler should wait before it starts collecting information from a new VM-Series. This prevents the autoscaler from collecting information while the VM-Series is initializing, during which the collected usage would not be reliable. Virtual machine initialization times might vary because of numerous factors.
  Type: number
  Default: 480
  Required: no

create_pubsub_topic
  Description: Set to true to create a Pub/Sub topic and subscription. The Panorama Google Cloud Plugin can use this Pub/Sub to trigger actions when the VM-Series instance group scales in. Actions include removal of the VM-Series from Panorama and automatic delicensing (if VM-Series BYOL licensing is used). For more information, please see Autoscaling the VM-Series on GCP.
  Type: bool
  Default: true
  Required: no

delicensing_cloud_function_config
  Description: Defining delicensing_cloud_function_config enables creation of the delicensing Cloud Function and related resources.
  The variable contains the following configuration parameters that are related to the Cloud Function:
  - name_prefix - Resource name prefix
  - function_name - Cloud Function base name
  - region - Cloud Function region
  - bucket_location - Cloud Function source code bucket location
  - panorama_address - Panorama IP address/FQDN
  - panorama2_address - Panorama 2 IP address/FQDN. Set if Panorama is in HA mode
  - vpc_connector_network - Panorama VPC network name
  - vpc_connector_cidr - VPC connector /28 CIDR. The VPC connector will be used by the delicensing CFN to access the Panorama VPC network.

  Example:
    {
      name_prefix           = "abc-"
      function_name         = "delicensing-cfn"
      region                = "europe-central1"
      bucket_location       = "EU"
      panorama_address      = "1.1.1.1"
      panorama2_address     = ""
      vpc_connector_network = "panorama-vpc"
      vpc_connector_cidr    = "10.10.190.0/28"
    }
  Type:
    object({
      name_prefix           = string
      function_name         = string
      region                = string
      bucket_location       = string
      panorama_address      = string
      panorama2_address     = string
      vpc_connector_network = string
      vpc_connector_cidr    = string
    })
  Default: null
  Required: no

disk_type
  Description: The disk type that is attached to the instances of the VM-Series firewalls.
  Type: string
  Default: "pd-ssd"
  Required: no

image
  Description: Link to the VM-Series PAN-OS image. Can be either a full self_link, or one of the shortened forms per the provider doc.
  Type: string
  Default: "https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries-byol-1014"
  Required: no

machine_type
  Description: The instance type for the VM-Series firewalls.
  Type: string
  Default: "n2-standard-4"
  Required: no

max_vmseries_replicas
  Description: The maximum number of VM-Series per region/zone that the autoscaler can scale up to. The maximum number of VM-Series should not be lower than min_vmseries_replicas.
  Type: number
  Default: n/a
  Required: yes

metadata
  Description: Metadata for the VM-Series firewall. The metadata is used to perform the mgmt-interface-swap and for bootstrapping the VM-Series.

  Ex 1: Partial bootstrap to Panorama
    metadata = {
      type                        = "dhcp-client"
      op-command-modes            = "mgmt-interface-swap"
      vm-auth-key                 = "012345601234560123456"
      panorama-server             = "1.1.1.1"
      dgname                      = "my-device-group"
      tplname                     = "my-template-stack"
      dhcp-send-hostname          = "yes"
      dhcp-send-client-id         = "yes"
      dhcp-accept-server-hostname = "yes"
      dhcp-accept-server-domain   = "yes"
    }
  Ex 2: Full configuration bootstrap from a Google storage bucket.
    metadata = {
      mgmt-interface-swap                 = "enable"
      vmseries-bootstrap-gce-storagebucket = "your-bootstrap-bucket"
      ssh-keys                            = "admin:your-public-key"
    }
  Type: map(string)
  Default: {}
  Required: no

min_cpu_platform
  Description: The minimum CPU platform for the instance type of the VM-Series firewalls.
  Type: string
  Default: "Intel Cascade Lake"
  Required: no

min_vmseries_replicas
  Description: The minimum number of VM-Series per region/zone that the autoscaler can scale down to. This cannot be less than 0.
  Type: number
  Default: n/a
  Required: yes

name
  Description: The name of the deployed VM-Series. This value will be used as the base_instance_name and as a prefix prepended to the names of the other created resources.
  Type: string
  Default: n/a
  Required: yes

named_ports
  Description: A list of named port configurations. The name identifies the backend port that receives the traffic from the global load balancers.
    named_ports = [
      {
        name = "http"
        port = "80"
      },
      {
        name = "app42"
        port = "4242"
      },
    ]
  Type: list
  Default: []
  Required: no

network_interfaces
  Description: List of the network interface specifications.

  Available options:
  - subnetwork - (Required|string) Self-link of the subnetwork to create the interface in.
  - create_public_ip - (Optional|boolean) Whether to reserve a public IP for the interface.
  Type: list(any)
  Default: n/a
  Required: yes

project_id
  Description: GCP Project ID that will contain the created cloud resources.
  Type: string
  Default: null
  Required: no

region
  Description: The Google Cloud region for the resources. If null, the provider region will be used.
  Type: string
  Default: null
  Required: no

regional_mig
  Description: Sets the managed instance group type to either regional (if true) or zonal (if false).
  For more information please see About regional MIGs.
  Type: bool
  Default: n/a
  Required: yes

scale_in_control_replicas_fixed
  Description: Fixed number of VM-Series instances that can be killed within the scale-in time window. See scale_in_control in the provider doc.
  Type: number
  Default: 1
  Required: no

scale_in_control_time_window_sec
  Description: How far (in seconds) the autoscaler should look into the past when scaling down.
  Type: number
  Default: 1800
  Required: no

scopes
  Description: A list of service scopes. Both OAuth2 URLs and gcloud short names are supported. See a complete list of scopes here.
  Type: list(string)
  Default:
    [
      "https://www.googleapis.com/auth/compute.readonly",
      "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
      "https://www.googleapis.com/auth/devstorage.read_only",
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring.write"
    ]
  Required: no

service_account_email
  Description: IAM service account applied to the VM-Series instances.
  Type: string
  Default: null
  Required: no

tags
  Description: Tags to attach to the instances.
  Type: list(string)
  Default: []
  Required: no

target_pools
  Description: A list of target pool URLs to which the instance groups are added. Updating the target_pools attribute does not affect existing VM-Series instances.
  Type: list(string)
  Default: null
  Required: no

update_policy_type
  Description: What to do when the underlying template changes (e.g. PAN-OS upgrade). OPPORTUNISTIC is the only recommended value; PROACTIVE is also allowed.
  Type: string
  Default: "OPPORTUNISTIC"
  Required: no

zones
  Description: A map of the zone names for zonal managed instance groups. A managed instance group will be created for every zone entered.
  Required if regional_mig is set to false.
  Type: map(string)
  Default: {}
  Required: no
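The inputs above only describe each variable in isolation. The following root-module call is an added example (not code from the module or from Palo Alto Networks) showing how they fit together for a regional deployment with a Panorama partial bootstrap; the module source path, project ID, region, subnetwork self-links, service account, Panorama address and device-group/template names are placeholders that you must replace. It deliberately uses a dedicated service account instead of the default compute one, keeps the module's read-mostly default scopes, reserves no public IPs on any interface, and passes the VM auth key through a sensitive variable rather than hardcoding it.

```hcl
# Added example: root-module call of the VM-Series autoscale module using only
# the inputs documented above. Placeholder values are marked as such.

variable "vm_auth_key" {
  description = "Panorama VM auth key for bootstrap; supply via TF_VAR_vm_auth_key or a secrets store, never commit it."
  type        = string
  sensitive   = true
}

module "vmseries_autoscale" {
  source = "../../modules/autoscale" # placeholder; point at the module's real source

  name       = "fw-prod"
  project_id = "my-gcp-project"  # placeholder
  region     = "europe-central2" # placeholder

  # A regional MIG spreads instances across zones; `zones` is only needed when this is false.
  regional_mig          = true
  min_vmseries_replicas = 2
  max_vmseries_replicas = 6

  image            = "https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries-byol-1014"
  machine_type     = "n2-standard-4"
  min_cpu_platform = "Intel Cascade Lake"
  disk_type        = "pd-ssd"

  # Dedicated service account with only the roles the firewall needs, rather than
  # the project's default compute service account (placeholder email).
  service_account_email = "vmseries-sa@my-gcp-project.iam.gserviceaccount.com"
  # Module defaults: read-only scopes plus write access limited to logging and monitoring.
  scopes = [
    "https://www.googleapis.com/auth/compute.readonly",
    "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring.write",
  ]

  # With mgmt-interface-swap enabled, PAN-OS treats the first NIC as a dataplane
  # interface and the second as management, so the list order matters.
  # No public IPs: management is reached over the VPC, dataplane via the load balancer.
  network_interfaces = [
    {
      subnetwork       = "projects/my-gcp-project/regions/europe-central2/subnetworks/untrust" # placeholder
      create_public_ip = false
    },
    {
      subnetwork       = "projects/my-gcp-project/regions/europe-central2/subnetworks/mgmt" # placeholder
      create_public_ip = false
    },
    {
      subnetwork       = "projects/my-gcp-project/regions/europe-central2/subnetworks/trust" # placeholder
      create_public_ip = false
    },
  ]

  # Partial bootstrap to Panorama, mirroring "Ex 1" of the metadata input.
  metadata = {
    type                        = "dhcp-client"
    op-command-modes            = "mgmt-interface-swap"
    vm-auth-key                 = var.vm_auth_key
    panorama-server             = "10.0.0.10" # placeholder Panorama address
    dgname                      = "gcp-autoscale-dg" # placeholder
    tplname                     = "gcp-autoscale-ts" # placeholder
    dhcp-send-hostname          = "yes"
    dhcp-send-client-id         = "yes"
    dhcp-accept-server-hostname = "yes"
    dhcp-accept-server-domain   = "yes"
  }

  # Scale-out/scale-in thresholds (same values as the module defaults).
  autoscaler_metrics = {
    "custom.googleapis.com/VMSeries/panSessionUtilization" = {
      target = 70
    }
    "custom.googleapis.com/VMSeries/panSessionThroughputKbps" = {
      target = 700000
    }
  }
  cooldown_period                  = 480
  scale_in_control_replicas_fixed  = 1
  scale_in_control_time_window_sec = 1800

  # Template changes (e.g. a PAN-OS image upgrade) are applied only on planned replacement.
  update_policy_type = "OPPORTUNISTIC"

  # Topic the Panorama plugin consumes to deregister and delicense scaled-in firewalls.
  create_pubsub_topic = true

  named_ports = [
    { name = "http", port = "80" },
  ]
}

output "vmseries_regional_mig_id" {
  value = module.vmseries_autoscale.regional_instance_group_id
}
```

Because `regional_mig` is true here, only `regional_instance_group_id` is meaningful; switching to zonal groups means setting `regional_mig = false`, supplying `zones`, and reading `zonal_instance_group_ids` instead.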

Outputs

| Name | Description |
|------|-------------|
| pubsub_subscription_iam_member_etag | The etag of the Pub/Sub IAM member. |
| pubsub_subscription_id | The resource ID of the Pub/Sub subscription. |
| pubsub_topic_id | The resource ID of the Pub/Sub topic. |
| regional_instance_group_id | The resource ID of the regional VM-Series managed instance group. This output should only be used when regional_mig is set to true. |
| zonal_instance_group_ids | The resource IDs of the zonal VM-Series managed instance groups. This output should only be used when regional_mig is set to false. |